Error on Delta and Full Sync FIMMA to AD MA
Part 1
Hi everyone,
I am trying to make the join rules work, and they are working. But I have an issue.
When I make changes on HR, that is my DS auth, the changes go to FIM but they don't go to AD, and when I delete an object from HR the object is deleted from AD and FIM.
Also I have 6 ERE for each user on FIM, I don't know why. I added all the info of my FIM configuration below; hopefully you can help me out, guys.
Cheers
When I ran the Delta Sync or Full Sync run profiles I got the following error:
Error Information
Running management agent: FIM MA
Error: Extension-dll-exception
Synchronization step: Export Flow
Retry count: 2
Extension name: FunctionLibrary.dll
Extension Rule: Export-flow
Extension context: <export-flow allows-null="false"><src><attr>displayName</attr></src><dest>dn</dest><scoping></scoping><fn id="+" isCustomExpression="false"><arg>"CN="</arg><arg>displayName</arg><arg>",OU=TestUsers,CN=kiasvan,CN=ca"</arg></fn></export-flow>
Destination management agent: AD MA
Destination object: CN=Zuleica Morales Morales,OU=TestUsers,DC=kiasvan,DC=ca
Mapping type: Direct
Data Source attribute: dn
Stack Trace Info:
Microsoft.MetadirectoryServices.FunctionEvaluationException: Error encountered during evaluation of Sync Rule: 'AD OUT Users'. Details: The partition filter criteria for management agent "AD" do not include an object with DN "CN=Zuleica Morales Morales,OU=TestUsers,CN=kiasvan,CN=ca" and object classes top, person, organizationalPerson, user.
at Microsoft.MetadirectoryServices.FunctionLibrary.AttributeFlowMappingHandler.ExecuteOutboundTransformation(CSEntry csentry, MVEntry mventry, String strSyncRuleGuid, String xmlExpression, String workflowParameterTypes, String workflowParameterValues)
August 20th, 2010 8:48pm
Part 2
FIMMA Config
Object Types
• DetectedRuleEntry
• ExpectedRuleEntry
• Person
• SynchronizationRule
Connector Filter
Person: Declared

| Filter | Attribute | Operator | Value |
|---|---|---|---|
| 1 | AccountName | Equals | Administrator |
| 2 | DisplayName | Equals | Built-in Synchronization Account |

Object Type Mappings

| Data Source Object Type | Metaverse Object Type |
|---|---|
| DetectedRuleEntry | DetectedRuleEntry |
| ExpectedRuleEntry | ExpectedRuleEntry |
| Person | Person |
| SynchronizationRule | SynchronizationRule |

Flow Attributes

| Data Source Attribute | Flow Direction | Metaverse Attribute | Type | Flow Nulls |
|---|---|---|---|---|
| dn | Export | | Sync-rule-mapping-expression | |
| MVObjectID | Export | <objectid> | Direct | |
| AccountName | Export | accountName | Direct | |
| DisplayName | Export | displayName | Direct | Allow |
| EmployeeID | Export | employeeID | Direct | |
| FirstName | Export | firstName | Direct | |
| LastName | Export | lastName | Direct | |
| MiddleName | Export | middleName | Direct | |
| Company | Export | company | Direct | |
| Manager | Export | manager | Direct | |
| OfficePhone | Export | officePhone | Direct | |
| Department | Export | Department | Direct | |
| OfficeLocation | Export | officeLocation | Direct | |
| RFC | Export | RFC | Direct | |
| Address | Export | Address | Direct | |
| AD | Export | AD | Direct | |
| Domain | Export | domain | Direct | |
| ObjectSID | Export | objectSid | Direct | |
| <dn> | Import | csObjectID | Direct | |
| AccountName | Import | accountName | Direct | |
| DisplayName | Import | displayName | Direct | |
| EmployeeID | Import | employeeID | Direct | |
| FirstName | Import | firstName | Direct | |
| LastName | Import | lastName | Direct | |
| MiddleName | Import | middleName | Direct | |
| Company | Import | company | Direct | |
| Manager | Import | manager | Direct | |
| OfficePhone | Import | officePhone | Direct | |
| ExpectedRuleList | Import | expectedRuleList | Direct | |
| Domain | Import | Domain | Direct | |
| ObjectSID | Import | objectSID | Direct | |
| Department | Import | Department | Direct | |
| OfficeLocation | Import | OfficeLocation | Direct | |
| RFC | Import | RFC | Direct | |
| OU | Import | ou | Direct | |
| AD | Import | AD | Direct | |

Deprovisioning
• Stage a delete on the object for the next export run
HR MA Config
No configuration at all
Deprovisioning
• Make them Disconnectors
AD MA Config
Object Types
• Container
• DomainDNS
• OrganizationalUnit
• User
Join and Projection Rules
User: Join:yes, Projection:no

| Mapping Group | Action | Metaverse Object Type | Resolution |
|---|---|---|---|
| 1 | Join | person | No |

extensionAttribute1 | Direct | employeeID
Deprovisioning
• Stage a delete on the object for the next export run
All of the MAs have the following run profiles:

| Run Profiles | Management Agent |
|---|---|
| Full Import | All |
| Full Sync | All |
| Delta Import | FIM MA and AD MA |
| Delta Sync | FIM MA and AD MA |
| Export | FIM MA and AD MA |

August 20th, 2010 9:24pm
The problem is here:
Microsoft.MetadirectoryServices.FunctionEvaluationException: Error encountered during evaluation of Sync Rule: 'AD OUT Users'.
Details: The partition filter criteria for management agent "AD" do not include an object with DN "CN=Zuleica Morales Morales,OU=TestUsers,CN=kiasvan,CN=ca" and object classes top, person, organizationalPerson, user.
You have either not imported the partition information on your ADMA yet or your DN is wrong.
Are you sure that your DN ends with CN=kiasvan,CN=ca?
I would expect something like DC=kiasvan,DC=ca.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
August 20th, 2010 9:39pm
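The mismatch Markus points out can be caught before a sync run by testing each DN an outbound rule would build against the partitions the AD MA is configured for. The following is an added example, not code from the thread or from FIM: the function names are hypothetical, and the partition list is an assumption taken from the DC=kiasvan,DC=ca naming context shown in the error.

```python
# Added example: pre-flight check for DNs built by an outbound sync rule.
# PARTITIONS is an assumption taken from the DC=kiasvan,DC=ca naming context
# in the thread; the function names are hypothetical, not FIM APIs.
PARTITIONS = ["DC=kiasvan,DC=ca"]


def split_dn(dn):
    """Split a DN into (type, value) pairs, honouring backslash-escaped commas."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escaped character with its value
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    pairs = []
    for rdn in parts:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        # RDN types and values are compared case-insensitively
        pairs.append((attr.strip().upper(), value.strip().lower()))
    return pairs


def check_export_dn(dn, partitions=PARTITIONS):
    """Return findings for a DN; an empty list means it sits inside a partition."""
    rdns = split_dn(dn)
    findings = []
    for partition in partitions:
        suffix = split_dn(partition)
        tail = rdns[-len(suffix):]
        if len(rdns) >= len(suffix) and tail == suffix:
            return []  # DN is under this partition
        if [v for _, v in tail] == [v for _, v in suffix]:
            # Same values, different RDN types: CN=kiasvan instead of DC=kiasvan
            wrong = ",".join(f"{t}={v}" for (t, v), s in zip(tail, suffix) if (t, v) != s)
            findings.append(f"suffix {wrong} does not match partition {partition}")
    return findings or [f"{dn} is outside every configured partition"]
```

Run against the DN from the stack trace, the check reports the CN=kiasvan,CN=ca suffix; the DC= form shown as the destination object passes.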
Part 4
WF Config

| Config | General: Name | General: Type | General: Run on Policy Update | Activities: Target Resource to Sync Rule |
|---|---|---|---|---|
| HR WF config | HR WF | Action | No | HR SR |
| AD OUT WF config | AD OUT WF | Action | No | AD OUT SR |
| AD IN WF config | AD OUT WF | Action | No | AD IN SR |

August 20th, 2010 9:52pm
Part 5
Set Config

| General (Name) | Criteria-based Members (Select USER that match ALL of the following condition) |
|---|---|
| AD SET | AD is 1 |

August 20th, 2010 9:54pm
Part 6
MPR Config
All the MPR are activated

Column groups: General (Name, Type, Dis), Requestors and Operations (Requestor, Operation, Permissions), Target Resources (Before, After, Attrib), Policy WF (Auth, AutZ, Action)

| Config | Name | Type | Dis | Requestor | Operation | Permissions | Before | After | Attrib | Auth | AutZ | Action |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| HR MPR config | HR | Request | No | All people | Create, Delete | Grant | All people | All people | All | No | No | HR WF |
| AD USR CREATE MPR config | AD .. | Request | No | All people | Create | Grant | N/A | AD SET | AD | No | No | AD OUT WF |
| AD USR MODIFY MPR config | AD .. | Request | No | All people | Modify | Grant | All people | All people | All | No | No | AD OUT WF |
| AD USR DELETE MPR config | AD .. | Request | No | All people | Delete | Grant | All people | N/A | All | No | No | AD OUT WF |
| AD USR IN MPR config | AD .. | Request | No | All people | Create | Grant | N/A | All people | All | No | No | AD IN WF |

August 20th, 2010 9:58pm
Part 7
Attribute Flow Precedence
All the attributes have "Use Equal precedence"
Object Deletion Rule
Object affected: Person
Delete metaverse object when connector from any of the following management agents is disconnected: "HR MA"
Notes:
All the custom attributes had been added to the following MPR and filters:
• Administration: Administrators can read and update Users
• Administrator Filter Permission
• Non-Administrator Filter Permission
August 20th, 2010 10:00pm
Hi Markus, you were right. I didn't see that I was sending a bad value to the dn attribute. I've already changed it and it works good.
Cheers Markus
August 20th, 2010 10:24pm
Kichitan, I'm glad to hear that it works for you.
One last thing :o) - please mark questions as answered - if this is true.
While we - as moderators - can do this, we don't really want to...
Happy FIMing,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
August 20th, 2010 11:01pm